From: "Wu, Jiaxin"
To: Thomas Palmer, "edk2-devel@lists.01.org"
Subject: Re: [PATCH 1/2] [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: TLS Ver negotiate
Date: Wed, 7 Sep 2016 08:21:32 +0000
Message-ID: <895558F6EA4E3B41AC93A00D163B7274137FAB76@SHSMSX103.ccr.corp.intel.com>
References: <1472238525-40024-1-git-send-email-thomas.palmer@hpe.com> <1472238525-40024-2-git-send-email-thomas.palmer@hpe.com>
In-Reply-To: <1472238525-40024-2-git-send-email-thomas.palmer@hpe.com>

Thomas,

Sorry for the delayed response. The patch is good to me, only one comment:

> + TlsCtx =3D SSL_CTX_new (SSLv23_client_method ()); if (TlsCtx =3D=3D N= ULL) > + { > + ASSERT (TlsCtx !=3D NULL); > + return NULL; > + }

I think we can remove the assert. Return NULL is fine here.

Reviewed-by: Wu Jiaxin

Thanks,
Jiaxin

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Thomas Palmer
> Sent: Saturday, August 27, 2016 3:09 AM
> To: edk2-devel@lists.01.org
> Cc: Wu, Jiaxin
> Subject: [edk2] [PATCH 1/2] [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: TLS Ver negotiate
>
> The TLS protocol allows for clients and servers to negotiate which version of
> TLS to use. Newer versions are deemed safer, so when they are available the
> client and server should opt to use them.
>
> The EDK2 TLS code today only allows TLSv1.0 for TLS communication,
> regardless of the target server's capabilities. In order to use the newer
> protocols, we'll update the EDK2 TlsLib.c code to allow for TLS version
> negotiation when a new TLS object is created. The TLS version specified in
> TlsCtxNew will be the minimum version accepted.
>
> Because EDK2 is not yet using OpenSSL 1.1, we use SSL_set_options to
> simulate SSL_CTX_set_min_proto_version.
>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Thomas Palmer
> ---
> CryptoPkg/Library/TlsLib/TlsLib.c | 21 +++++++++++++++++----
> 1 file changed, 17 insertions(+), 4 deletions(-)
>
> diff --git a/CryptoPkg/Library/TlsLib/TlsLib.c
> b/CryptoPkg/Library/TlsLib/TlsLib.c
> index aa08595..0ff699b 100644
> --- a/CryptoPkg/Library/TlsLib/TlsLib.c
> +++ b/CryptoPkg/Library/TlsLib/TlsLib.c
> @@ -195,26 +195,39 @@ TlsCtxNew ( >=20 > ProtoVersion =3D (MajorVer << 8) | MinorVer; >=20 > - TlsCtx =3D NULL; > + TlsCtx =3D SSL_CTX_new (SSLv23_client_method ()); if (TlsCtx =3D=3D N= ULL) > + { > + ASSERT (TlsCtx !=3D NULL); > + return NULL; > + } > + > + // > + // Ensure SSLv3 is disabled > + // > + SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3); >=20 > + // > + // Treat as minimum accepted versions. Client can use higher // TLS > + version if server supports it // > switch (ProtoVersion) { > case TLS1_VERSION: > // > // TLS 1.0 > // > - TlsCtx =3D SSL_CTX_new (TLSv1_method ()); > break; > case TLS1_1_VERSION: > // > // TLS 1.1 > // > - TlsCtx =3D SSL_CTX_new (TLSv1_1_method ()); > + SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1); > break; > case TLS1_2_VERSION: > // > // TLS 1.2 > // > - TlsCtx =3D SSL_CTX_new (TLSv1_2_method ()); > + SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1); > + SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1_1); > break; > default: > // > -- > 2.7.4 >=20 > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel
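
Review bot: After SSL_CTX_new (SSLv23_client_method ()) the only unconditional exclusion is SSL_OP_NO_SSLv3, so whether SSLv2 is still offered depends on how the OpenSSL in use was built; pass SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 in that call so the protocol floor does not depend on build options. Because the context is now allocated before the switch, the default: branch (its body is cut off in this hunk) has to call SSL_CTX_free (TlsCtx) before any early return for an unsupported ProtoVersion, otherwise the context leaks. In the TLS1_2_VERSION case the two SSL_CTX_set_options calls can be a single call with SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, and the commit message names SSL_set_options while the code uses SSL_CTX_set_options, so one of the two should be aligned.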